Ask Slashdot: Changing Passwords For the New Year?
New submitter windcask asks "Every New Year's Day, I assemble and memorize a random collection of seven to ten mixed-case alphanumeric characters and proceed to change every password I have on the interwebs to these characters (plus a few extra characters unique to the site). The problem is I only change them on the sites I visit. Once in a while, I'll come across a site I haven't visited for a few years, and I may end up not being able to guess the password before the try-lockout takes effect. What are your password-changing rituals, and how do they deal with situations like mine? I do use Keepass for work, but it is sometimes impractical for times I'm at other computers."
But it's the new year, time to change password12 to password1.
I only use correct_horse_battery_staple now that I know how hard it is to guess!
I use a variant of that: Pick a line from a song you know well. It also works well with monthly rotations: Just pick the nth line from the song. Admittedly, last time I had a problem with that when I needed somebody else to use my account and they couldn't spell Ipanema...
To whoever stole my account, please give it back.
My password files just look like this:
/dev/random.
user: damnstupidelf
pass: glintprickjuliatrunkwouldexcelhymnallearhopbloat
first girlfriend: razeblazetrudytdmoltnobitalysankassetzd
high school: actsdrurybyrneavailprofit'llsjmeaddrawpave
some_other_weakest_link_in_site_security_question: alleysandalohmichead60fendweighhamlinwillstout
I sign up for site accounts using email addresses at random domains that will expire soon. No chance of plaintext password-reset emails being sent out and intercepted unless the site uses a non-SSL third party relay.
The password files are symmetrically encrypted with a passphrase that isn't used anywhere else. Long diceware passphrases are immune to rainbow tables, dictionary and brute force attacks, and rubber hose cryptanalysis (I can't remember them), although some worthless sites limit the length of password form fields (shouldn't the site salt and hash passphrases to a fixed number of bits immediately, thus negating the need to limit the length? Yes.) and I have to revert to uuencoding 16 bytes from
The password files are on an encrypted partition using an ephemeral key on a netbook and there's a generator for power outages longer than a couple hours. Alt-SysRq-B has been modified to wipe RAM before rebooting. I hooked up a USB heart monitor as an actual deadman switch to use when I sleep.
NO ONE is getting my WoW forum credentials.
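A worked illustration of two points raised in this thread, added here as an example rather than taken from any comment: the entropy of the submitter's seven-to-ten random mixed-case alphanumeric scheme against a Diceware-style passphrase (the standard list has 7776 words), and a salted, stretched hash that turns a passphrase of any length into a fixed-size digest, which is why a site has no need to cap the password field length. PBKDF2-HMAC-SHA256 and the iteration count are assumptions chosen for the example.

```python
import hashlib
import math
import os
import secrets
from typing import Optional, Tuple

DICEWARE_WORDS = 7776          # size of the standard Diceware list (6^5)
ALNUM_CHARSET = 26 + 26 + 10   # mixed-case letters plus digits, as in the submitter's scheme
PBKDF2_ROUNDS = 100_000        # constructed value for the example; tune for your hardware


def entropy_bits(choices: int, length: int) -> float:
    """Bits of entropy for `length` independent uniform picks from `choices` symbols."""
    return length * math.log2(choices)


def compare_schemes() -> dict:
    """Submitter's 7-10 random alphanumerics versus 4-6 random Diceware words."""
    return {
        "alnum7": entropy_bits(ALNUM_CHARSET, 7),
        "alnum10": entropy_bits(ALNUM_CHARSET, 10),
        "diceware4": entropy_bits(DICEWARE_WORDS, 4),
        "diceware6": entropy_bits(DICEWARE_WORDS, 6),
    }


def hash_passphrase(passphrase: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salt and stretch a passphrase of any length into a fixed 32-byte digest.

    The input length never reaches storage, so a length cap on the form field
    buys the site nothing. A dedicated password hash (scrypt, Argon2) would be
    preferable in production; PBKDF2 is used here because it ships with Python.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored passphrase
    digest = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_passphrase(passphrase: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, digest = hash_passphrase(passphrase, salt)
    return secrets.compare_digest(digest, expected)


if __name__ == "__main__":
    for name, bits in compare_schemes().items():
        print(f"{name:10s} {bits:6.1f} bits")
    long_pass = " ".join(["correct", "horse", "battery", "staple"] * 10)  # 270 chars
    salt, stored = hash_passphrase(long_pass)
    print(len(stored), verify_passphrase(long_pass, salt, stored))
```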
I just login everywhere with FaceBook!! Problem solved!
I object to power without constructive purpose. --Spock
Of course they know this, he just advertised it on the goddamned Slashdot frontpage!
Random Thoughts From A Diseased Mind (Not For Dummies)
My bank has the same requirement. However, it is only enforced in Javascript. Disable the JS check, and you can use any password you want.